MIDI PoC not exploitable for code execution

On Wednesday, a PoC was posted to milw0rm describing an “integer overflow” in Windows Media Player. We investigated the .mid file and found it to be a duplicate of a non-exploitable crash previously posted publicly on Bugtraq around Christmas, four months ago. We blogged about this same issue here: http://blogs.technet.com/srd/archive/2008/12/29/windows-media-player-crash-not-exploitable-for-code-execution.aspx

Here is what the crash looks like and the reason it is not exploitable:

ChildEBP RetAddr
0c7af6a0 7490222a quartz!MulDivRN+0x1a
0c7af6bc 74901c93 quartz!smfTicksToMillisecs+0x66
0c7af758 7491f7f2 quartz!CMIDIParse::ParseNewFile+0x126
0c7af770 74837a7f quartz!CSimpleReader::NotifyInputConnected+0x2e
0c7af784 748340b2 quartz!CBaseMSRInPin::CompleteConnect+0x3a
0c7af79c 7483df8d quartz!CBasePin::ReceiveConnection+0xc2
0c7af7bc 7483e7d7 quartz!CBasePin::AttemptConnection+0x54
0c7af7e0 7483e36f quartz!CBasePin::TryMediaTypes+0x64
0c7af80c 7483e2f9 quartz!CBasePin::AgreeMediaType+0x73
0c7af824 7483e048 quartz!CBasePin::Connect+0x55
0c7af850 7483e56b quartz!CFilterGraph::ConnectDirectInternal+0x40
0c7af8b0 7483ea76 quartz!CFilterGraph::RenderByFindingPin+0xad
0c7afb1c 74834cc0 quartz!CFilterGraph::RenderUsingFilter+0x201
0c7afb94 74834fe9 quartz!CFilterGraph::RenderViaIntermediate+0x2d8
0c7afbb0 74834f48 quartz!CFilterGraph::RenderRecursively+0x37
0c7afc80 129ec60b quartz!CFilterGraph::RenderFile+0x143

(da8.c0c): Integer overflow – code c0000095 (first/second chance not available)
eax=58d072e0 ebx=0000bb80 ecx=00017700 edx=0006c80a esi=0bdbaff0 edi=00000001
eip=74902121 esp=0c7af69c ebp=0c7af6a0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
74902121 f7f1 div eax,ecx

As we posted in the previous blog entry, the integer overflow exception is due to the div result being unable to fit in the 32bit EAX register. The calculation result is not later used for any memory manipulations so this is not an exploitable issue.

As always, we encourage responsible disclosure of potential vulnerabilities. Best way to report a vulnerability in any Microsoft product is secure@microsoft.com. Thanks.

Jonathan Ness and Chengyun, MSRC Engineering

*Postings are provided “AS IS” with no warranties, and confers no rights.*